Saturday, April 30, 2011

Pay For Secure Coding, Not Lawyers

Is it cheaper to get a lawyer to fix your buggy software than to hire or train your programmers to handle data safely? Must be, 'cause that's what drives business decisions, right?! Money. Apparently this is the case in Germany with the Magix Incident.

Here the researcher appears to have tried responsible disclosure: notifying the vendor, even working with the vendor. All PoC code and the flaw description are given to the vendor, and then the vendor sues! Wait, WTF!?! Someone is trying to help you fix flaws in your software, and then you bend them over?! Someone who was helping you with his own time FOR FREE (as in beer), donating time. Someone who went to the vendor with the flaw, not to the exploit market, not directly to public disclosure. WTF?!

Filing a lawsuit against a security researcher who has attempted to follow responsible disclosure practices shows the company doesn't really understand the business environment of software. I can't help but think the management conversation that led to the decision went something like this: "Let's throw lawyers at the problem, Jim. The problem isn't ours! These damn haxors breaking our beloved software. Someone should show them a thing or two about business." "Sure, Bob, that sounds great." No conversation about secure coding. No taking responsibility for the issue.

The way I see it, rather than paying full-time employees to sit and audit code for a decent salary + benefits, throw a few bucks at the security researchers who spend their own time looking at your code. What's $500, $1000 (Mozilla bug bounty anyone?!) in the big scheme of things? A cheap-ass code audit if you ask me! Surely you'll get more press and relationship mileage out of cooperating with researchers than out of bullying them with ridiculous laws and people so far from the issue that they can't even begin to understand it.